Social Engineering

Overview

Social engineering is the broad term for any cyber attack that relies on fooling the user into taking action or divulging information. Since such attacks rely on you, the user, to be successful, you must be alert to them. Think twice every time: is this real, or a trick? If you suspect that you've been targeted, don't just ignore it; instead, contact the IT helpdesk at x4357 or send an email to security@lbl.gov. It's likely other people at LBNL were targeted by the same attack - reporting it will help to protect the people who didn't recognize it.

Attacks

Telephone

Hi, This is the Helpdesk...

No one from LBNL will ever call you asking for your password.

The telephone can be a powerful tool for social engineering. Don't give out your password, no matter what they claim. Be very careful in allowing someone to remotely access your computer. A common scam involves at attacker pretending to be Microsoft or the Helpdesk. They then remote into your computer and install malware. If in doubt, hangup and call the IT helpdesk at x4357 or send an email to security@lbl.gov to verify

Look out for things like:

"Hi, this is the helpdesk, we need to get remote access to your computer?" "Hi, this is cyber security, there's a problem with your system, what's your password?" "Hi, this is travel, could you please read me your credit card number?"

Email

Hi,This email contains important information...

Think twice when you get email.

Phishing emails from banks and commercial websites are common, but sometimes a phishing email can be targeted at you more directly. Whether it appears to be from LBL, from a collaborator, or from DOE, emails can be convincingly forged. Knowing the sender is not sufficient to ensure that the email is safe.

If the email contains a link to another site...

If the email contains a link to another site, make sure it goes to the site you think it does. Place your mouse over the link in the email, does it go to the place you think it should, or does the link contain numbers? Is the link a misspelling of a real domain? If you're in doubt, try typing the name of the site into your browser instead of following the link. And as always, forward suspicious email to security@lbl.gov.

If the email contains an attachment...

If the email contains an attachment and you don't expect it, DON'T CLICK! Even seemingly harmless things like Word documents can contain malicious code. Send the email to security@lbl.gov. If you're suspicious and you can't safely delete the email (after forwarding it to security@lbl.gov), use other techniques to validate the email, such as calling the sender (after you've verified their identity).

It has happened here:

Just last year, a well written email was sent to 20 LBL employees claiming to be from "The View" telling the employee that they had been selected to be featured in an interview. The email contained a PDF attachment that claimed to contain a questionnaire to fill out - but in fact, the PDF exploited a previously undisclosed vulnerability in Acrobat. A large percentage of the recipients assumed it was a scam and forwarded it to security@lbl.gov - kudos to them. It's important to always keep in mind that the next email could be a well designed scam.

Media: CD's, DVD's, USB Sticks, ect.

Be wary of disks, usb sticks, and other things that arrive unexpectedly.

A CD arrives claiming to contain important information about DOE policies or DOE funding opportunities or a free usb memory stick arrives in the mail from a vendor you've never heard of: what do you do?

While we don't want anyone to stop interacting with the outside world, it's useful to know that all these scenarios represent risks. When you place a CD in a Windows box for instance, it often "autoruns" a particular file. If that file is malicious, your box could be compromised without you even knowing it.

Several parts of DOE have been targeted with just such an attack in the past year.

As in all the other cases, if you are ever suspicious, report it to security@lbl.gov. You may also be able to check the authenticity by visiting a known, trusted website to see if there are any indications that such a disk has been sent out.

The Web

Please enter your password ...

Are you sure the website you're on is the one you think it is?

IP addresses (192.168.1.1/lblauthenticate.html), misspellings (www.1b1.gov), fake websites (www.berkeleylaboratory.org), extra names (www.lbl.gov.whatever.org), and long confusing domains (abc.org/lbl.gov/webmail) are all ways people use to pretend to be legitimate websites.

Always look at the URL Bar and the Status Bar of your browser to try to discern whether the site you are visiting is the website you think it is.

It's easy to recreate the look and feel of the lbl website, but spoofing the key security features of the browser is harder. Look for the security indicators of your browser. Key indicators for Firefox, the Lab's Standard Browser, are below:

General

Email that purports to be from your Bank or Credit Card company asking you to update personal information

Email that claims to be from a shopping or auction site asking you to provide information about a purchase

Email that claims to have important information about a topic that interests you: for instance, about a recent crime in the area, that has a malicious attachment.

Targeted

A phone call that purports to be from the Help Desk asking you for your password.

An email that purports to be from computer security asking you to install a piece of software

A CD or USB Flash Device that arrives in the mail unexpectedly, claiming to be from LBL or DOE.

What can you do?

Separate your work life from your personal life: Don't use your @lbl.gov email address for personal banking or shopping. Use different passwords for your work and personal accounts.

Think twice every time: A little bit of awareness goes a long way. Stay alert about possible attempts to steal your information - be suspect of things that don't feel right.

Know the signs of a scam: While not fullproof, being aware of the signs of a scam may help you to spot one. If you're ever in doubt, ask! (security@lbl.gov, IT Helpdesk, your Computer Security Liaison).

Report it fast. If you ever suspect you've been targeted, report it to security@lbl.gov fast. Don't just delete or ignore it - it's possible someone else was attacked in the same way - reporting it might save them, or it might save the whole Lab.

Commons contains user-contributed content and
does not represent the position or endorsement of the Laboratory, DOE,
or the University of California. Your use of this site is subject to
our security and privacy policies.

A U.S. Department of Energy National Laboratory Operated by the University of California